Elasticsearch Detection versions of the SOC Prime Watcher rules, with some new Corelight rules
Please note that some of these rules should be tuned to your environment.
To load the rules into Elastic, download the ndjson file, then expand Security and go to Alerts. Click Managed Alerts, click Import rules, and upload the file. The import creates two new tags: Zeek, for rules that work on both open-source Zeek and Corelight data, and Corelight, for rules that work only with Corelight data.
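Before importing, it is useful to check the ndjson file and see which rules carry the Corelight tag (and so will never fire on open-source Zeek data alone). The following is an added example, not part of this rule set; it assumes the file has the shape of a Kibana detection-rules export (one rule object per line, with fields such as rule_id, name, type, query and tags, plus an optional trailing export-summary line), and the sample lines are constructed here for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of a Kibana detection-rules ndjson export:
# one rule object per line, followed by an export summary object that is not a rule.
SAMPLE_NDJSON = "\n".join([
    json.dumps({"rule_id": "r-001", "name": "Zeek DNS long query", "type": "query",
                "language": "kuery", "query": "event.dataset:zeek.dns and dns.question.name:*",
                "tags": ["Zeek"], "enabled": True}),
    json.dumps({"rule_id": "r-002", "name": "Corelight SMB file write", "type": "query",
                "language": "kuery", "query": "event.dataset:corelight.smb_files",
                "tags": ["Corelight"], "enabled": True}),
    json.dumps({"rule_id": "r-003", "name": "Broken rule missing query", "type": "query",
                "language": "kuery", "tags": ["Zeek"], "enabled": False}),
    json.dumps({"exported_count": 3, "missing_rules": [], "missing_rules_count": 0}),
])

# Fields every rule line must carry for the import to be meaningful (assumed minimum set).
REQUIRED = ("rule_id", "name", "type", "query", "tags")

def parse_rules(ndjson_text):
    """Return (rules, errors). Blank lines and the summary line are skipped; malformed rules are reported."""
    rules, errors = [], []
    for lineno, line in enumerate(ndjson_text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            errors.append(f"line {lineno}: invalid JSON ({exc.msg})")
            continue
        if "rule_id" not in obj:  # export summary object, not a rule
            continue
        missing = [k for k in REQUIRED if k not in obj]
        if missing:
            errors.append(f"line {lineno}: rule {obj['rule_id']} missing {missing}")
            continue
        rules.append(obj)
    return rules, errors

def rules_by_tag(rules):
    """Group rule names by tag so the Zeek / Corelight split is visible before import."""
    grouped = defaultdict(list)
    for rule in rules:
        for tag in rule["tags"]:
            grouped[tag].append(rule["name"])
    return dict(grouped)

def corelight_only(rules):
    """Rule ids tagged Corelight but not Zeek: these need Corelight data to produce alerts."""
    return [r["rule_id"] for r in rules if "Corelight" in r["tags"] and "Zeek" not in r["tags"]]

if __name__ == "__main__":
    rules, errors = parse_rules(SAMPLE_NDJSON)
    print(rules_by_tag(rules), corelight_only(rules), errors, sep="\n")
```

Run it against the downloaded ndjson instead of the constructed sample to list the rules that will only work once Corelight data is flowing.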